[cabfpub] Delegated Third Parties, Network Security Requirements, and Audits

Gervase Markham gerv at mozilla.org
Tue May 17 10:52:05 UTC 2016

On 14/05/16 02:57, Peter Bowen wrote:
> Does anyone else have opinions on how Delegated Third Parties should
> be handled?

I think a CA is ultimately responsible for their operations, no matter
who they delegate to, and those operations need to be audited the same
way whether they run them themselves or other people run them.

I can see potential economies if several CAs are sharing infrastructure,
but that has to be balanced against the possible problems of things
"falling through the gaps" between several audit components.

I'd say that if CAs sharing infrastructure want to take advantage of
those economies, then they need to synchronise their audit periods and
all engage the same auditor, who can then do a single inspection of the
shared infrastructure and use the results to write multiple reports.
